On 02/18/2010 04:44 PM, Dominick Grift wrote:
> On 02/18/2010 10:17 PM, Shintaro Fujiwara wrote:
>> Hi, I'm ready to start an SELinux server in my office for the first time, and I want to persuade everyone how safe the SELinux server is. How can I demonstrate to administrators and my boss the advantage of SELinux compared to other servers? The SELinux play machine hit me but is too far, or should I just demonstrate on a certain occasion for a certain purpose?
>
> It depends a bit on your distro and policy model. But generally you can demonstrate how TE enforces integrity for targeted system daemons. If you use strict policy you can also enforce integrity for user processes. You can also demonstrate role based access control. You can demonstrate how MCS can be useful to restrict processes' access to objects. If you use the MLS model you can demonstrate enforcement of confidentiality. I never actually connected to the play machine but I gather it mapped the root Linux login to the user_u SELinux user. There are a lot of ways to demonstrate SELinux. You could restrict a simple hello world shell script and show what happens if you extend the script to make it do something it is not intended to do. Same goes for web applications. You could write a webapp and make it do something that SELinux policy does not allow it to do. Generally TE tries to prevent privilege escalation. It restricts processes.
>
>> Thanks in advance.
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Simple demonstration in Fedora 12. Create a script.

cat > /usr/bin/showshadow << _EOF
#!/bin/sh
id
cat /etc/shadow
_EOF
chmod +x /usr/bin/showshadow

# showshadow
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
root:*:::
bin:*:14043:0:99999:7:::
daemon:*:14043:0:99999:7:::
adm:*:14043:0:99999:7:::
lp:*:14043:0:99999:7:::
sync:*:14043:0:99999:7:::
shutdown:*:14043:0:99999:7:::
halt:*:14043:0:99999:7:::
mail:*:14043:0:99999:7:::
news:*:14043:0:99999:7:::
uucp:*:14043:0:99999:7:::
operator:*:14043:0:99999:7:::
games:*:14043:0:99999:7:::
gopher:*:14043:0:99999:7:::
ftp:*:14043:0:99999:7:::
nobody:*:14043:0:99999:7:::
vcsa:!!:14043:0:99999:7:::
distcache:!!:14043:0:99999:7:::
nscd:!!:14043:0:99999:7:::
tcpdump:!!:14043:0:99999:7:::

# sandbox showshadow
uid=0 gid=0 groups=0,1,2,3,4,6,10 context=staff_u:unconfined_r:sandbox_t:s0:c512,c625
cat: /etc/shadow: Permission denied

To see the error message:

# ausearch -m avc -ts recent
----
time->Thu Feb 18 17:03:36 2010
type=PATH msg=audit(1266530616.620:1997): item=0 name="/etc/shadow" inode=5688120 dev=fd:01 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=CWD msg=audit(1266530616.620:1997): cwd="/tmp"
type=SYSCALL msg=audit(1266530616.620:1997): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6bb88798 a1=0 a2=7fff6bb88120 a3=a items=1 ppid=26934 pid=26938 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" subj=staff_u:unconfined_r:sandbox_t:s0:c512,c625 key=(null)
type=AVC msg=audit(1266530616.620:1997): avc: denied { open } for pid=26938 comm="cat" name="shadow" dev=dm-1 ino=5688120 scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625 tcontext=system_u:object_r:shadow_t:s0 tclass=file

# grep shadow /var/log/messages
Feb 18 17:03:42 localhost setroubleshoot: SELinux is preventing /bin/cat "open" access on /etc/shadow. For complete SELinux messages. run sealert -l 95108dbb-8254-4a00-886d-028bafa4996a
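The ausearch output above is what an administrator reads when SELinux blocks something, and it is also what a monitoring pipeline has to parse. The following is an added example, not code from the thread or from any of its participants: a small Python parser that reads the audit records shown above (embedded here as constructed sample input, copied from the ausearch output in this message), picks out the type=AVC record, splits the source and target contexts into user/role/type/range, and reduces each denial to the (source type, target type, class, permission) tuple that a policy author or an alert rule keys on. The function names and the summary format are this example's own choices.

```python
import re

# Constructed sample input: the four audit records from the ausearch output in
# this thread, one record per line. Only the type=AVC record carries the denial.
SAMPLE_AUDIT_LINES = [
    'type=PATH msg=audit(1266530616.620:1997): item=0 name="/etc/shadow" inode=5688120 '
    'dev=fd:01 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0',
    'type=CWD msg=audit(1266530616.620:1997): cwd="/tmp"',
    'type=SYSCALL msg=audit(1266530616.620:1997): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=7fff6bb88798 a1=0 a2=7fff6bb88120 a3=a items=1 ppid=26934 pid=26938 '
    'auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 '
    'comm="cat" exe="/bin/cat" subj=staff_u:unconfined_r:sandbox_t:s0:c512,c625 key=(null)',
    'type=AVC msg=audit(1266530616.620:1997): avc: denied { open } for pid=26938 '
    'comm="cat" name="shadow" dev=dm-1 ino=5688120 '
    'scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

# Every audit record starts with its type and a msg=audit(<time>:<serial>) stamp;
# records sharing a serial belong to the same event (here: PATH, CWD, SYSCALL, AVC).
MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# The AVC body: "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a run of non-blank characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split an SELinux context into user, role, type and the optional MLS/MCS range.

    The categories returned are those of the low level only (e.g. c512,c625 for the
    sandbox process above); a range like s0-s0:c0.c1023 has no categories at its low end.
    """
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    rec = {'user': parts[0], 'role': parts[1], 'type': parts[2], 'range': None, 'categories': []}
    if len(parts) == 4:
        rec['range'] = parts[3]
        low = parts[3].split('-', 1)[0]
        if ':' in low:
            rec['categories'] = low.split(':', 1)[1].split(',')
    return rec


def parse_avc(line):
    """Return a dict describing a type=AVC record, or None for any other record type."""
    m = MSG_RE.match(line.strip())
    if not m or m.group('type') != 'AVC':
        return None
    a = AVC_RE.match(m.group('body'))
    if not a:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(a.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'decision': a.group('decision'),
        'perms': a.group('perms').split(),          # a denial may list several permissions
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        'scontext': parse_context(fields['scontext']),
        'tcontext': parse_context(fields['tcontext']),
    }


def scan(lines):
    """Parse every AVC record in an iterable of audit lines, skipping other record types."""
    return [rec for rec in (parse_avc(l) for l in lines) if rec is not None]


def summarize(rec):
    """One-line summary in the spirit of the setroubleshoot message in /var/log/messages."""
    return '%s %s: %s (%s) -> %s %s %s' % (
        rec['decision'], ' '.join(rec['perms']), rec['comm'], rec['scontext']['type'],
        rec['tcontext']['type'], rec['tclass'], rec['name'])


def denial_signatures(records):
    """Unique (source type, target type, class, permission) tuples among the denials.

    This is the granularity at which TE rules are written, so it is the right key for
    deciding whether a denial is expected (as the sandbox one here is) or needs attention.
    """
    sigs = set()
    for rec in records:
        if rec['decision'] != 'denied':
            continue
        for perm in rec['perms']:
            sigs.add((rec['scontext']['type'], rec['tcontext']['type'], rec['tclass'], perm))
    return sorted(sigs)


if __name__ == '__main__':
    for rec in scan(SAMPLE_AUDIT_LINES):
        print(summarize(rec))
    print(denial_signatures(scan(SAMPLE_AUDIT_LINES)))
```

Run against the records above it reports a single denial, open on a shadow_t file by a sandbox_t process, which is exactly the point of the demonstration: the process is still uid 0, but its type has no rule allowing that access. In production you would feed it the output of ausearch (or read /var/log/audit/audit.log directly) and compare the signatures against the set you expect from your own policy.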